On Thu, Apr 30, 2026 at 12:55:12PM +0200, Fredrik Markstrom wrote:
> Perf callchain unwinding follows userspace frame pointers via
> copy_from_user. A corrupted or malicious frame pointer can point
> into device I/O memory mapped into the process (e.g. via UIO or
> /dev/mem), causing the kernel to read from MMIO regions in PMU
> interrupt context. Such reads can have side effects on hardware
> (clearing status registers, advancing FIFOs, triggering DMA) and
> on arm64 can produce a synchronous external abort that panics the
> kernel.
Hmm, but why is unwinding special in this case? If userspace has access to sensitive MMIO/device mappings, it can presumably pass them to syscalls and trigger crashes all over the place? Will
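The walk the report describes, as an added userspace model that is not part of this thread and not kernel code: an arm64 frame record is the pair {fp, lr} at the address held in the frame pointer, and the unwinder reads the record, emits lr and follows fp to the caller's record. The simulated stack range, the "device" address, the read_record() stand-in for copy_from_user() and the checked variant (reject a frame pointer that is misaligned, outside the known stack range, or not moving toward the stack top) are all assumptions made for the example, not the behaviour of any particular kernel version.

```c
/* Added example: userspace model of a frame-pointer callchain walk.
 * All addresses, sizes and the "device" region are invented. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_DEPTH 16
#define STACK_LO  0x7ff0000000ULL            /* simulated stack start (assumption) */
#define STACK_SZ  0x1000ULL                  /* one 4 KiB page */
#define STACK_HI  (STACK_LO + STACK_SZ)
#define MMIO_ADDR 0x7f00001000ULL            /* simulated device mapping (assumption) */

struct frame_record { uint64_t fp; uint64_t lr; };

static uint8_t stack_mem[STACK_SZ];          /* backing store for the simulated stack */

/* Stand-in for copy_from_user(): any access outside the simulated stack is
 * treated as touching the device mapping; the model records that and fails. */
static int read_record(uint64_t addr, struct frame_record *rec, int *hit_mmio)
{
    if (addr < STACK_LO || addr + sizeof(*rec) > STACK_HI) {
        *hit_mmio = 1;
        return -1;
    }
    memcpy(rec, stack_mem + (addr - STACK_LO), sizeof(*rec));
    return 0;
}

/* Three legitimate frames (callee to caller at 0x800, 0x900, 0xa00); the
 * outermost fp is either 0 (clean end of chain) or the device address. */
static uint64_t build_stack(int corrupt)
{
    struct frame_record f;
    memset(stack_mem, 0, sizeof(stack_mem));
    f.fp = STACK_LO + 0x900; f.lr = 0x400100; memcpy(stack_mem + 0x800, &f, sizeof f);
    f.fp = STACK_LO + 0xa00; f.lr = 0x400200; memcpy(stack_mem + 0x900, &f, sizeof f);
    f.fp = corrupt ? MMIO_ADDR : 0; f.lr = 0x400300; memcpy(stack_mem + 0xa00, &f, sizeof f);
    return STACK_LO + 0x800;
}

/* Unchecked walk: follows fp wherever it points, as in the report. */
static int walk_unchecked(uint64_t fp, uint64_t *lrs, int *hit_mmio)
{
    int n = 0;
    *hit_mmio = 0;
    while (fp && n < MAX_DEPTH) {
        struct frame_record rec;
        if (read_record(fp, &rec, hit_mmio))
            break;
        lrs[n++] = rec.lr;
        fp = rec.fp;
    }
    return n;
}

/* Checked walk: fp must be 16-byte aligned, inside [lo, hi) and strictly
 * increasing; otherwise the walk stops before the read happens. */
static int walk_checked(uint64_t fp, uint64_t lo, uint64_t hi, uint64_t *lrs, int *hit_mmio)
{
    int n = 0;
    uint64_t prev = 0;
    *hit_mmio = 0;
    while (fp && n < MAX_DEPTH) {
        struct frame_record rec;
        if ((fp & 0xf) || fp < lo || fp + sizeof(rec) > hi || fp <= prev)
            break;
        if (read_record(fp, &rec, hit_mmio))
            break;
        lrs[n++] = rec.lr;
        prev = fp;
        fp = rec.fp;
    }
    return n;
}

/* Scenario helpers: number of frames recovered, and whether the walk
 * touched the simulated device region. */
static int run(int corrupt, int checked, int *hit_mmio)
{
    uint64_t lrs[MAX_DEPTH];
    uint64_t fp = build_stack(corrupt);
    return checked ? walk_checked(fp, STACK_LO, STACK_HI, lrs, hit_mmio)
                   : walk_unchecked(fp, lrs, hit_mmio);
}
static int run_frames(int corrupt, int checked)   { int h; return run(corrupt, checked, &h); }
static int run_hit_mmio(int corrupt, int checked) { int h; run(corrupt, checked, &h); return h; }

int main(void)
{
    printf("unchecked, corrupted fp: %d frames, device read: %d\n",
           run_frames(1, 0), run_hit_mmio(1, 0));
    printf("checked,   corrupted fp: %d frames, device read: %d\n",
           run_frames(1, 1), run_hit_mmio(1, 1));
    return 0;
}
```

Both walks recover the same three return addresses from the intact frames; the difference is only that the unchecked walk issues the fourth read against the device address, which is exactly the read the report says must not happen in PMU interrupt context. A real check on the kernel side would have to find the task's actual stack bounds rather than the constants assumed here.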

